Using NixOS on a laptop on which the keyboard isn’t detected when I need to type the password to decrypt disk, I had to find a solution. This problem is hardware related, not Linux or NixOS related.
I highly recommend using full disk encryption on every computer following a thief threat model. Having your computer stolen is bad, but if the thief has access to all your data, you will certainly be in trouble.
This was time to find how to use an usb memory stick to unlock the full disk encryption in case I don’t have my hands on an usb keyboard to unlock the computer.
There are 4 steps to enable unlocking the luks volume using a device.
- Create the key
- Add the key on the luks volume
- Write the key on the usb device
- Configure NixOS
First step, creating the file. The easiest way is to the following:
# dd if=/dev/urandom of=/root/key.bin bs=4096 count=1
This will create a 4096 bytes key. You can choose the size you want.
Second step is to register that key in the luks volume, you will be prompted for luks password when doing so.
# cryptsetup luksAddKey /dev/sda1 /root/key.bin
Then, it’s time to write the key to your usb device, I assume it
# dd if=/root/key.bin of=/dev/sdb bs=4096 count=1
And finally, you will need to configure NixOS to give the information
about the key. It’s important to give the correct size of the key.
Don’t forget to adapt
"crypted" to your luks volume name.
boot.initrd.luks.devices."crypted".keyFileSize = 4096; boot.initrd.luks.devices."crypted".keyFile = "/dev/sdb";
Rebuild your system with
nixos-rebuild switch and voilà!
I recommend using the fallback to password feature so if you
lose or don’t have your memory stick, you can type the password to
unlock the disk. Note that you need to not put anything looking
/dev/sdb because if it exists and no key are there, the
system won’t ask for password, and you will need to reboot.
boot.initrd.luks.devices."crypted".fallbackToPassword = true;
It’s also possible to write the key in a partition or at a specific
offset into your memory disk. For this, look at